Secure Coding Practices
Input validation, output encoding, error handling, and secure development lifecycle.
Overview
Secure coding prevents vulnerabilities at the source.
Input Validation
# Whitelist validation
import re
def validate_username(username):
if not re.match(r'^[a-zA-Z0-9_]{3,20}$', username):
raise ValueError("Invalid username")
return username
# Type checking
def validate_age(age):
if not isinstance(age, int) or not (0 <= age <= 150):
raise ValueError("Invalid age")
return age
Output Encoding
# HTML encoding
import html
def encode_html(text):
return html.escape(text)
# JavaScript encoding
def encode_js(text):
return text.replace('\\', '\\\\')
.replace("'", "\\'")
.replace('"', '\\"')
.replace('\n', '\\n')
.replace('\r', '\\r')
SQL Injection Prevention
# Parameterized queries
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
# ORM usage
user = User.query.filter_by(id=user_id).first()
XSS Prevention
# Content Security Policy
@app.after_request
def add_csp(response):
response.headers['Content-Security-Policy'] = "default-src 'self'"
return response
# Auto-escaping templates (Jinja2)
return render_template('index.html', user_input=user_input)
Error Handling
# Don't expose internals
try:
result = risky_operation()
except Exception as e:
logger.error(f"Operation failed: {e}")
return jsonify({"error": "Internal server error"}), 500
Secure Development Lifecycle
Architecture Diagram
1. Requirements → Security requirements
2. Design → Threat modeling
3. Implementation → Secure coding
4. Testing → Security testing
5. Deployment → Secure configuration
6. Maintenance → Patch management
Code Review Checklist
- Input validation present
- Output encoding implemented
- Parameterized queries used
- Error handling secure
- Authentication enforced
- Authorization checked
- Secrets not hardcoded
- Dependencies updated
Practice
Review code for vulnerabilities and implement fixes.